A new wave of IT outsourcing by banks raises some important questions for regulators.

Financial Regulatory Observer (FRO): Why is outsourcing back at the top of the agenda for banks and supervisory authorities?

Andreas Wieland (AW): The first driver is the weak profitability of many banks, notably in Europe. While income from interest is plummeting, regulatory costs are sky-rocketing. Banks are forced to cut their cost base in order to thrive in the current highly competitive market. The existing IT structure of many banks is often outdated, too complex and therefore extremely costly. Banks need new and modernized IT systems, not only to cut costs but also to gain or maintain a competitive edge.

Jost Kotthoff (JK): Another key aspect driving outsourcing is digitalization and technical innovation. The uses of cloud services, grid computing and the distributed ledger technology (blockchain) are the most obvious examples of this, but there are other themes. Fintech companies and new challenger banks with innovative business models and lower cost structures are increasingly competing against traditional banks. These developments mean that for many banks the modernization of their IT systems has become the highest strategic priority at a time when banks have become more reliant on technology than ever before. The modern bank is often nothing more than a small people-driven front office and a huge automated and IT-based middle and back office. Nothing happens without the involvement of IT.

AW: Given this unprecedented degree of reliance on technology, it is not surprising that supervisory authorities focus more and more on IT risks. The monitoring and management of IT risks are today the key challenges for the risk management of financial institutions. In Europe, the European Central Bank (ECB) and other supervisory authorities have placed an increased focus on the IT infrastructure of banks and their vulnerabilities. Their central concern is that many banks rely on a multitude of complex, proprietary, individual and outdated solutions. The ECB has started to examine the IT infrastructure of many of the large banks. Many observers expect that this will increase the pressure on banks to increase and accelerate their investment in IT.

FRO: How about cloud-based solutions? Are banks ready to embrace the new technology?

JK: Definitely. The large IT providers are currently marketing their new cloud products to the financial industry. These cloud solutions are extremely attractive for banks, both from a technological and cost perspective. We see more and more banks looking into moving data and functionalities into the cloud. Cloud solutions allow "pay-as-you-go" models and flexible and automated IT infrastructures, which enable banks to achieve significant cost savings and decisive competitive advantages. The technology further enhances the innovation process within the bank and decreases the "time-to-market" for new products.

AW: But the question is: Are regulators sufficiently prepared for the new technology? From a regulatory standpoint, many IT-related contracts qualify as outsourcing of essential services. Most supervisory authorities have issued a detailed framework for the outsourcing of essential services. These include features like comprehensive information and audit rights by supervisory authorities, detailed rules on sub-delegation, and, in some jurisdictions, on the instruction rights of the service recipient. The new cloud solutions can to a certain extent adapt to these requirements. But it is clear that some of these requirements cannot be implemented in the way we have become used to in the pre-cloud world. So far, many supervisory authorities have not issued specific guidance on how to implement regulatory requirements in a cloud world.

JK: Some supervisors, such as the Financial Conduct Authority (FCA) in the UK and the Monetary Authority of Singapore (MAS), have recently issued new guidelines for cloud solutions. In our view, it is very important that regulators and supervisory authorities develop clear and uniform regulatory standards for cloud solutions. This would provide a catalyst for banks to embrace the new technology and realize the related efficiency gains.

AW: In Europe, the European Banking Authority (EBA) recognizes the need for further harmonization and regulatory guidance. In May of this year, the EBA launched a consultation on draft recommendations on outsourcing to cloud service providers. The recommendations address some of the relevant supervisory requirements when outsourcing into the cloud. This includes topics like access and audit rights, security requirements, the location of data and data processing, chain outsourcing, contingency plans and exit strategies. It contains some innovative concepts, such as the possibility of conducting grouped audits to fulfill regulatory audit requirements. However, it remains doubtful whether the recommendations in their current form will provide the tailor-made, harmonized regulatory framework for outsourcing into the cloud that financial institutions and service providers hope for in order for them to embrace the new technology. I can only encourage financial institutions and IT providers and their industry associations to actively participate in the consultation.

FRO: What are the main challenges in the negotiation and implementation process for cloud solutions?

JK: In general, service providers render their cloud services on a "one-size-fits-all" basis. From an IT and risk management perspective, the sourcing of cloud services requires a paradigm shift: Rather than relying on a tailor-made IT framework and risk management set-up, the sourcing of cloud services requires the bank to accept standard procedures and to adjust their risk management and control procedures around the cloud product.

AW: This requires the relevant control functions at the bank to be involved at an early stage of the process. In addition, the specific regulatory requirements of the bank need to be reflected in the contractual documentation with the cloud provider. This can be a challenge in the negotiations.

FRO: Are cloud solution providers familiar with the supervisory rules?

AW: From our experience, many of the large cloud providers are aware of the regulatory framework. Some of them offer special regulatory packages to banks that are supposed to allow them to meet their regulatory requirements. Still, banks cannot assume these packages fully reflect their particular regulatory needs.

FRO: How do international banks cope with the increased regulatory scrutiny around outsourcing?

AW: We now have detailed and sector-specific outsourcing rules throughout the European Union. This includes the Banking Directive, but also legislation like MiFID II, EMIR, UCITS V and AIFMD, which contain very specific outsourcing rules. As a result, we find a fairly harmonized rule book for internationally operating banks. However, the implementation and interpretation of such rules often differ from country to country. In addition, a banking group that also comprises asset managers or MiFID firms has to observe not only the outsourcing requirements for banks, but also for asset managers and MiFID firms. While these rules follow similar patterns in many respects, there are sectoral particularities that need to be kept in mind and may need to be reflected in the documentation.

JK: What is true for Europe becomes even more complex if a banking group is engaged in the United States and Asia, too. In particular in Asia, many countries have specific local particularities for outsourcings in their rule books. If an international banking group wants to roll out an IT solution for its worldwide operations and on a global scale, these country specifics need to be taken into account. We often deal with this challenge by negotiating country-specific schedules.

FRO: How does the new resolution framework influence the regulatory requirements for outsourcings?

AW: The new EU resolution framework for banks has a considerable influence on the structuring of outsourcings and their documentation. The so-called resolvability of a banking group has become one of the crucial areas of focus for supervisory and resolution authorities. This means that the bank needs to ensure that it has continued access to critical outsourced activities even in the event of a resolution involving the bank. Regulators are very focused on how outsourcing arrangements will work in a recovery and resolution environment, particularly for banks that support critical economic functions and use outsourced services to support them. Regulators are subjecting banks to real-time reviews and challenges as to the robustness of their legal arrangements, including challenging how robust arrangements can be as best as possible legally secured in cross-border branch-to-branch outsourcing, where the same legal entity is involved but different regulators are looking at different physical set-ups.

JK: In the outsourcing contract with the external service provider, it must be ensured that in a potential split-up of the bank into a good and a bad bank, the involved entities continue to be able to draw on the services in an uninterrupted way. The European and related national resolution frameworks provide for the respective powers of resolution authorities to ensure this. However, resolution authorities and in some jurisdictions the applicable laws require this to be set out explicitly in the outsourcing contract. Many service providers still are not aware of this requirement, and we spend a lot of time explaining to them why the bank needs respective clauses in the outsourcing contract.